19. Docker Machine
• Create hosts anywhere
• Docker Machine can create hosts on most major virtualization hypervisors and in cloud service providers. Docker Machine has driver support for:
• AWS, Digital Ocean, Google Cloud Platform, IBM Softlayer, Microsoft Azure and Hyper-V, OpenStack, Rackspace, VirtualBox, VMware Fusion®, vCloud® Air™ and vSphere®
26. Docker Registry
Docker Registry is an open source application dedicated to the storage and distribution of your Docker images. Its seamless architecture allows both fine-grained integration with other systems and high-level scalability. Aggressively developed, its vibrant community includes industry leaders and users running it at the core of their image distribution solutions.
34. Docker Compose
• Compose facilitates the orchestration of linked containers
• Compose allows a single script to be used for all environments
• Developers can start/stop/rebuild containers without any deep knowledge of Docker
43. Docker Content Trust
• Docker image signing and verifying
• Key compromise protection
• Content trust allows operations with a remote Docker registry to enforce client-side signing and verification of image tags. Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags.
• https://blog.docker.com/2015/08/content-trust-docker-1-8/
44. Docker Security
• Hardware crypto + Docker Content Trust
• Hardware root key (USB security device) used for starting the key ladder
• Allows quickly changing/updating keys, so it is no longer possible to push images with the old (compromised) keys
45. Docker Security
• Sign Docker images before pushing them to repos
• Uses the root key inside the YubiKey for creating new signing keys to sign the images
• To see existing keys: notary key list
46. Docker Security Analysis
• Project Nautilus
• Built-in container security analysis
• Will soon be available as a self-service
• Deep content analysis
• Checks against its own vulnerability DB
48. Docker Networking
• New Docker Networking APIs
• Multi-host networking
• Networks are scoped: Local / Global
• A container can participate in multiple networks
49. Docker Networking uses VXLAN
• VXLAN: Layer 2 over Layer 4
• VXLAN is a network virtualization technology that attempts to ameliorate the scalability problems associated with large cloud computing deployments. It uses a VLAN-like encapsulation technique to encapsulate MAC-based OSI layer 2 Ethernet frames within layer 4 UDP packets, using 4789 as the default IANA-assigned destination UDP port number.[1]
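To make the encapsulation on this slide concrete, here is an added example (not from the original deck or from Docker) that builds a UDP/VXLAN segment and decapsulates it again, exposing the VNI and the inner Ethernet header. It assumes the RFC 7348 header layout (8-byte VXLAN header with the "I" flag and a 24-bit VNI) and constructed sample MAC addresses; the `unexpected_vni` helper shows the kind of check a monitoring tool on the underlay can apply, since VXLAN itself adds no encryption or authentication.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned default destination port (RFC 7348)
VXLAN_FLAG_I = 0x08          # "I" bit: the VNI field is valid


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_vxlan_udp(vni: int, inner_frame: bytes, src_port: int = 49152) -> bytes:
    """Build a UDP segment: UDP header + VXLAN header + inner Ethernet frame.
    Constructed test data only; UDP checksum left at zero (allowed over IPv4)."""
    vxlan_hdr = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    payload = vxlan_hdr + inner_frame
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(payload), 0)
    return udp_hdr + payload


def parse_vxlan_udp(segment: bytes) -> dict:
    """Decapsulate one UDP segment carrying VXLAN and expose the overlay frame.
    Raises ValueError for anything that is not well-formed VXLAN."""
    if len(segment) < 8 + 8 + 14:            # UDP + VXLAN + minimal Ethernet header
        raise ValueError("segment too short for UDP/VXLAN/Ethernet")
    src_port, dst_port, udp_len, _csum = struct.unpack("!HHHH", segment[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"dst port {dst_port} is not the VXLAN port")
    if udp_len != len(segment):
        raise ValueError("UDP length field does not match segment size")
    vx = segment[8:16]
    if not vx[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI not valid")
    vni = int.from_bytes(vx[4:7], "big")     # bytes 4..6 of the VXLAN header
    eth = segment[16:]                       # inner (overlay) Ethernet frame
    (ethertype,) = struct.unpack("!H", eth[12:14])
    return {
        "outer_src_port": src_port,
        "vni": vni,
        "inner_dst_mac": mac_str(eth[0:6]),
        "inner_src_mac": mac_str(eth[6:12]),
        "inner_ethertype": ethertype,
        "inner_payload_len": len(eth) - 14,
    }


def unexpected_vni(segment: bytes, allowed_vnis: set) -> bool:
    """Detection helper: True when the segment carries a VNI outside the allowed set."""
    return parse_vxlan_udp(segment)["vni"] not in allowed_vnis


# Constructed sample: inner IPv4 (0x0800) frame between two overlay MACs on VNI 256.
SAMPLE_FRAME = (bytes.fromhex("02420a000002") + bytes.fromhex("02420a000003")
                + b"\x08\x00" + b"\x45" + b"\x00" * 19)
SAMPLE_SEGMENT = build_vxlan_udp(256, SAMPLE_FRAME)
```

Running `parse_vxlan_udp(SAMPLE_SEGMENT)` returns VNI 256 with ethertype 0x0800; the same parser applied to a capture on the underlay shows that inner MACs and payloads are readable by anyone who can see port 4789.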
57. Universal Control Plane
• Management platform: deploy and manage dockerized apps in production
• Running containers on any infrastructure
• Infrastructure agnostic (on premises, cloud)
• Language agnostic
58. Docker Universal Control Plane
• Provisioning of compute, network, and storage on any infrastructure, with integration of enterprise security and monitoring
• Support for any:
  • application: stateful and stateless, legacy and next-generation, for any programming language
  • bare-metal server, VM or cloud instance
  • Linux distribution, Windows Server and Solaris
  • stage of the application lifecycle, from dev to test to QA to staging to production
59. Docker Universal Control Plane
• Enterprise ready (LDAP/AD authN), on-premises deployment integrated with Trusted Registry
• Security: TLS
• Resource management (visibility and monitoring)
• HA
61. IP Virtual Server (IPVS)
• OSI Layer 4 forwarder
• IPVS is incorporated into the Linux Virtual Server (LVS), where it runs on a host and acts as a load balancer in front of a cluster of real servers. IPVS can direct requests for TCP- and UDP-based services to the real servers, and make services of the real servers appear as virtual services on a single IP address. IPVS is built on top of Netfilter.[1]
62. IP Virtual Server - Modes
• IPIP mode: returns packets directly to the client (rather than via the LB)
• DNAT
• DSR
67. Jenkins Flow
• Commit to GitHub ->
• Jenkins build with unit tests ->
• Build Docker image ->
• After all the desired components are stably built, run docker compose